Android Botnet Caught Red-handed
July 6, 2012


Enid Burns for — Your Universe Online

It's an evil triangle that touches all three of the major search engines. Microsoft engineer Terry Zink uncovered spam revealing a botnet running on Android mobile phones using Yahoo! Mail. The good news, if there is any, is that the malware is somewhat traceable due to the Yahoo! Mail IP addresses listed in the headers of the email.

Zink, who writes the Cyber Security Blog on MSDN Blogs, identified the spam messages earlier this week. "We've all heard the rumors, but this is the first time I have seen it - a spammer has control of a botnet that lives on Android devices," he said in a blog post.

RedOrbit contacted Zink, who had no comment at press time. However, a follow-up post comments on some reports on the web. Zink addresses a comment posted on BBC News that says evidence of the botnet "could not be proven." Zink agrees that while he identified the botnet, proof that it's originating from Android devices is not there. "That's true," he comments.

Others in the internet security space also raise the question as to whether the emails identified are actually coming from an Android botnet. "I currently can't confirm - or deny - the existence of this supposed Android botnet," says Roel Schouwenberg, senior malware researcher at Kaspersky. "The mentioned blog post doesn't provide actual proof of its existence. The evidence put forward to claim that this is an Android botnet is based on data which is easily spoofed [or] forged."

Messages appear to be originating from Yahoo! Mail accounts using Android. All the messages Zink discovered had the following identification:

Message-ID: [email protected]

The messages were also all stamped with the familiar "Sent from Yahoo! Mail on Android" that's posted at the bottom of all messages sent from the mobile devices.

It is possible that the Android addresses are being spoofed in order to get past certain security measures. "The evidence does not support the Android botnet claim. Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," remarked a Google spokesperson to CNET reporter Elinor Mills.
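The disagreement above comes down to which parts of a message a recipient can actually trust. The Message-ID, the From address and the "Sent from Yahoo! Mail on Android" signature are all written by whoever submits the message, so they attribute nothing; the only fact a receiving site records for itself is the address of the peer that connected to its own mail exchanger, which appears in the topmost Received header. The following script, added here as an illustration and not code from the article or from Zink's blog, separates those two classes of information for a sample message and lists the caveats a reviewer should attach before geolocating any IP. Both sample messages are constructed: every host name, address and IP is a documentation placeholder, and the Message-IDs are made up rather than the value reported in the article.

```python
"""Header triage for a mail sample carrying the markers the article describes.
Added example; the two messages below are constructed placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr

# Signature text the article says appeared on every message.
MOBILE_SIGNATURE = "Sent from Yahoo! Mail on Android"
# Provider the signature implies: a message really submitted through that
# provider would carry a Message-ID generated under this domain.
SIGNATURE_PROVIDER = "yahoo.com"
IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Constructed sample 1: headers internally consistent with the provider named
# in the signature. This is what a message submitted through the provider
# would look like, whether it came from a phone or from an infected PC.
CONSISTENT = """\
Received: from relay-placeholder.mail.yahoo.com (relay-placeholder.mail.yahoo.com [203.0.113.10])
\tby mx.recipient.example with ESMTP id placeholder001; Fri, 6 Jul 2012 10:00:00 +0000
Received: from [198.51.100.7] by web-placeholder.mail.yahoo.com via HTTP; Fri, 6 Jul 2012 09:59:00 +0000
Message-ID: <constructed.0001@web-placeholder.mail.yahoo.com>
From: Someone <someone@yahoo.com>
To: victim@recipient.example
Subject: hi

click here

Sent from Yahoo! Mail on Android
"""

# Constructed sample 2: the same signature pasted into a message that never
# passed through the provider (Message-ID and relay belong to another host).
PASTED = """\
Received: from mail.other-placeholder.example (mail.other-placeholder.example [192.0.2.55])
\tby mx.recipient.example with ESMTP id placeholder002; Fri, 6 Jul 2012 10:05:00 +0000
Message-ID: <constructed.0002@mail.other-placeholder.example>
From: Someone <someone@yahoo.com>
To: victim@recipient.example
Subject: hi

click here

Sent from Yahoo! Mail on Android
"""


def under_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def received_ips(msg):
    """IPs named in each Received header, topmost (written by our MX) first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4_RE.search(hdr)
        ips.append(m.group(1) if m else None)
    return ips


def triage(raw):
    """Split what the message asserts from what our own MTA observed."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    _, from_addr = parseaddr(msg.get("From", ""))
    message_id = (msg.get("Message-ID") or "").strip().strip("<>")
    hops = received_ips(msg)
    return {
        # Sender-controlled fields: trivially forgeable, attribute nothing.
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "message_id_host": message_id.rpartition("@")[2].lower(),
        "claims_android_client": MOBILE_SIGNATURE in body,
        "claimed_origin_ip": hops[-1] if hops else None,
        # The one fact we recorded ourselves: the peer that connected to our MX.
        "mx_observed_peer": hops[0] if hops else None,
    }


def findings(info):
    """Caveats a reviewer should attach before geolocating or attributing anything."""
    notes = []
    if info["claims_android_client"]:
        notes.append("signature is body text; it cannot prove the client or the device")
        if not under_domain(info["message_id_host"], SIGNATURE_PROVIDER):
            notes.append("signature names a provider that did not generate the Message-ID")
    if info["claimed_origin_ip"] != info["mx_observed_peer"]:
        notes.append("claimed origin IP comes from a foreign Received header; only the "
                     f"MX-observed peer {info['mx_observed_peer']} is verified")
    return notes


if __name__ == "__main__":
    for label, raw in (("consistent", CONSISTENT), ("pasted signature", PASTED)):
        info = triage(raw)
        print(label, info)
        for note in findings(info):
            print("  -", note)
```

For the consistent sample the script can only say that the signature proves nothing and that the lower Received hop is a claim relayed by the provider; deciding whether the submitting client was a phone or a PC needs the provider's own submission logs, which is why neither Zink nor Kaspersky could settle the question from the spam alone. For the pasted sample it additionally flags that the Message-ID was not generated by the provider the signature names.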

Google is taking the threat seriously and is investigating the situation.

Tracking the IP addresses, Zink was able to identify where the IPs were geo-located. Most of the messages originated from Chile, Indonesia, Lebanon, Oman, the Philippines, Russia, Saudi Arabia, Thailand, Ukraine and Venezuela.

If the existence of a botnet on the Android network is real, it might not be as serious a threat if it can be contained. "If the issue is limited to mail delivered via Yahoo! Mail servers (the key that alerted the Microsoft engineer who discovered the botnet), its effects could be relatively limited. At this point, the issue needs to be studied in greater detail to see how deeply users should be concerned," Charles King, principal analyst at Pund-IT, told redOrbit.

The countries of origin indicate that the botnet has control of users mostly in developing countries. "I've written in the past that Android has the most malware compared to other smartphone platforms, but your odds of downloading and installing a malicious Android app are pretty low if you get it from the Android Marketplace," says Zink, in his blog. "But if you get it from some guy in a back alley on the internet, the odds go way up."

Best practices include vetting the apps a user installs on any device. Most legitimate apps are found in the Android Marketplace. There are a few other reliable sources for Android apps, including marketplaces set up by and the Opera browser.

In a few cases, Android users have gotten malware on their devices by downloading "free" versions of paid apps. Google has taken steps to eliminate apps containing malware in its Android Marketplace. Due to the locations where the messages are originating, it's likely in this case that the apps were downloaded from sources other than Google's Android marketplace.

The discovery of a botnet run on Android devices highlights new concerns, and a potential influx of new spam emails worldwide. Zink sums it up on his blog. "If people download malicious apps onto their phone that capture keystrokes for their email software, it makes it way easier for spammers to send abusive email."

Android is a platform targeted by cybercriminals. That's the word from Graham Cluley, security expert at anti-virus firm Sophos, as he stated to BBC News.

His advice is to vet any apps before they are downloaded. "Before you install apps onto your device, look at the reviews, because there are many bogus apps out there."

Google also reminded BBC News that it continues to make efforts to keep malicious apps off its platform. "Last year we also introduced a new service into Google Play that provides automated scanning for potentially malicious software without disrupting the user experience or requiring developers to go through an application approval process," Google said in a statement from a spokesman.